One machine in the network seems isolated [answered]

Greetings,

My network has multiple hosts; one of them seems to be isolated. I didn't configure any network isolation and I was wondering how to fix it.
That specific host has internet access and sees the router, but that's it; other hosts cannot see it. If I want to access it via ssh, I need to pass via openwrt.
I'm using openwrt 24.10; not sure what config I need to provide.

help appreciated,

Thanks

See how?

Ping, HTTP server, remote desktop?

Since it's assumed all of your devices are connected to the OpenWrt, can you clarify this statement?

Providing configs would also be helpful.

Network and wireless for starters (redact things like MAC, WiFi key, etc.).

Sounds like a host issue, and not an openwrt issue?


Sounds like the "isolated" host has too tight a netmask defined. That is, for example, using /28 instead of /24, or in other words using 255.255.255.240 instead of 255.255.255.0.


It isn't reachable by ssh or ping. I can reach it using ssh if I use the router as a proxy. For example, from host1 to host2 I need to do this: ssh -J root@openwrt foo@host2
host2 is connected by LAN, not WiFi; do you still need the wireless config?
Here is my redacted network file:

        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'xxxx:xxxx:xxxx::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        option macaddr 'xx:xx:xx:xx:xx:xx'
        option ipv6 '0'
        list ports 'eth0'
        list ports 'eth1'
        list ports 'eth2'
        list ports 'eth3'
        list ports 'eth4'
        list ports 'eth5'
        list ports 'eth6'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '172.23.179.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth7'
        option proto 'pppoe'
        option username 'foo'
        option password 'bar'
        option ipv6 'auto'
        option keepalive '0 1'

That might be; however, I'm not sure where to start looking. Any ideas?

The host's firewall?

Post the router's /etc/config/firewall too.

As for the config file masking, only MACs and public IPs are considered "sensitive data".

10: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
    inet 172.23.179.3/24 brd 172.23.179.255 scope global dynamic noprefixroute vnet0
       valid_lft 34328sec preferred_lft 27512sec
    inet6 xxxx::xxxx:xx:xxxx:xxxx/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever

Compared to a host without the issue:

4: br0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
    inet 172.23.179.2/24 brd 172.23.179.255 scope global dynamic noprefixroute br0
       valid_lft 32337sec preferred_lft 24931sec
    inet6 xxxx::xxxx:xxxx:xxxx:xxxx/64 scope link 
       valid_lft forever preferred_lft forever

Here:

config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

The host doesn't have a firewall installed.
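As an added example, not something posted in the thread: a small Python check of the netmask hypothesis raised earlier, run over the two `ip addr` excerpts posted above (constructed here verbatim, with the MAC and IPv6 fields redacted as the poster had them) against the router LAN 172.23.179.1/24 taken from the posted /etc/config/network. It also classifies the /28-versus-/24 case and the other ways a host netmask can disagree with the LAN.

```python
import ipaddress
import re

# Constructed sample input: the two `ip addr` excerpts posted in the thread.
ISOLATED_HOST = """\
10: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
    inet 172.23.179.3/24 brd 172.23.179.255 scope global dynamic noprefixroute vnet0
       valid_lft 34328sec preferred_lft 27512sec
"""
WORKING_HOST = """\
4: br0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
    inet 172.23.179.2/24 brd 172.23.179.255 scope global dynamic noprefixroute br0
       valid_lft 32337sec preferred_lft 24931sec
"""
# Router LAN address as given in the posted /etc/config/network (lan section).
ROUTER_LAN = ipaddress.ip_interface("172.23.179.1/24")

# Matches the IPv4 "inet a.b.c.d/len" line only; "inet6" lines do not match.
INET_RE = re.compile(r"^\s+inet (\d+\.\d+\.\d+\.\d+/\d+)", re.MULTILINE)


def ipv4_interfaces(ip_addr_output):
    """Return every IPv4 address/prefix pair found in `ip addr` output."""
    return [ipaddress.ip_interface(m) for m in INET_RE.findall(ip_addr_output)]


def diagnose(ip_addr_output, router=ROUTER_LAN):
    """Compare each IPv4 address on a host with the router's LAN subnet and
    return (address, verdict) pairs; a /28 on a /24 LAN reads 'netmask too tight'."""
    verdicts = []
    for iface in ipv4_interfaces(ip_addr_output):
        if iface.network == router.network:
            verdict = "ok: same subnet as the router LAN"
        elif iface.network.subnet_of(router.network):
            # Host will try to route, not ARP, to most of its neighbours.
            verdict = "netmask too tight: host treats only %d of the /%d LAN addresses as local" % (
                iface.network.num_addresses, router.network.prefixlen)
        elif router.ip in iface.network:
            verdict = "netmask too wide: host treats more than the LAN as local"
        else:
            verdict = "wrong subnet: host is not on the router LAN at all"
        verdicts.append((str(iface), verdict))
    return verdicts


if __name__ == "__main__":
    for name, output in (("isolated host", ISOLATED_HOST), ("working host", WORKING_HOST)):
        for address, verdict in diagnose(output):
            print("%s %s: %s" % (name, address, verdict))
```

For the two outputs posted here both hosts come out as "ok", which is why the netmask explanation does not fit this case.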

Are you assigning these IPs to the hosts manually?

I noticed these IPs aren't in the normal DHCP range configured by default for LAN.

Also, what ports are these hosts connected to on the OpenWrt?

I'm assigning each host a static IP in the range 172.23.179.1 to 172.23.179.255.
As for ports, the good host is connected via eth2 and the bad one to eth0.

There is nothing in the OpenWrt config that could block access to/from one host on the network to another. That all happens at L2, so the router isn’t even involved. The one exception would be if isolate clients is enabled in the WiFi settings. But this affects all WiFi clients, and is a WiFi specific setting (doesn’t affect Ethernet).

What operating system is the host in question?


Alpine Linux 3.21.3

Just to rule out the router (which I’m sure we can already do), do you have an unmanaged switch? Connect this host and at least one other to that switch. Then attempt to communicate between them. If it still doesn’t work, the router (which would no longer be in the physical path) absolutely cannot be involved and this cannot be responsible for the issue.

Alternatively, you could run another OS on that host - like Ubuntu on a live usb stick (no need to touch your existing installation).

Are you running Docker on the affected machine?

Nope, I'm not.

I think it is the host's OS. I have no way to run an alternative OS on that host, nor to pass via a switch, but the good host was connected directly before and it worked.
I'll contact Alpine's forums; maybe they can help.

Thanks for the help

Although it is hard to imagine that this could work, swap ports.
But my guess is it is the host. You wrote there is no firewall, but are you sure?

utils-server:~# apk list -I | grep fire
utils-server:~# 

I am sure.

What about loaded iptables or nftables rules?

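As an added example, not posted by anyone in the thread: a POSIX sh script for the "loaded iptables or nftables rules?" question, meant to be run on the Alpine host. ruleset_blocks() scans an nft list ruleset or iptables -S dump for drop/reject policies and verdicts; the sample dumps are constructed, and awall is assumed to be the Alpine firewall package name worth grepping for alongside iptables/nftables.

```shell
#!/bin/sh
# Offline: ruleset_blocks reads a ruleset dump on stdin and exits 0 if it
# contains anything that drops or rejects traffic. Live: ./check.sh --live
# runs the same test against the host's own nft and iptables state.

ruleset_blocks() {
    awk '
        # nftables: base chain on the input/forward hook with a drop policy
        /type filter hook (input|forward)/ && /policy drop/ { found = 1 }
        # nftables: any rule line ending in a drop or reject verdict
        / (drop|reject)( |$)/                               { found = 1 }
        # iptables -S: default DROP policy or an explicit DROP/REJECT jump
        /^-P (INPUT|FORWARD) DROP/ || /-j (DROP|REJECT)/    { found = 1 }
        END { if (found) exit 0; exit 1 }
    '
}

# Constructed sample dumps for the offline self-check.
CLEAN_NFT='table inet filter {
    chain input {
        type filter hook input priority filter; policy accept;
    }
}'
BLOCKING_NFT='table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        iifname "lo" accept
        ct state established,related accept
    }
}'
BLOCKING_IPT='-P INPUT DROP
-P FORWARD ACCEPT
-A INPUT -i lo -j ACCEPT'

# What a defender would run on the unreachable host itself.
check_live_host() {
    echo "== firewall packages =="
    apk list -I 2>/dev/null | grep -Ei 'iptables|nftables|awall' || echo "(none installed)"
    echo "== nftables =="
    if nft list ruleset 2>/dev/null | ruleset_blocks; then echo "blocking nft rules loaded"; else echo "no blocking nft rules"; fi
    echo "== iptables =="
    if iptables -S 2>/dev/null | ruleset_blocks; then echo "blocking iptables rules loaded"; else echo "no blocking iptables rules"; fi
    echo "== neighbours the host has resolved on the LAN =="
    ip neigh show 2>/dev/null
}

if [ "${1-}" = "--live" ]; then check_live_host; fi
```

An empty ip neigh table next to a clean ruleset points away from packet filtering and toward the link itself, which is what the switch test suggested earlier would confirm.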